To support smart card redirection on RHEL 7.x desktops, integrate the base virtual machine (VM) with your Active Directory (AD) domain using the Samba and Winbind solutions.

Use the following procedure to integrate a RHEL 7.x VM with your AD domain for smart card redirection.

Some examples in the procedure use placeholder values to represent entities in your network configuration, such as the DNS name of your AD domain. Replace the placeholder values with information specific to your configuration, as described in the following table.

Placeholder Value Description
dns_IP_ADDRESS IP address of your DNS name server
mydomain.com DNS name of your AD domain
MYDOMAIN.COM DNS name of your AD domain, in all capital letters
MYDOMAIN DNS name of the workgroup or NT domain that includes your Samba server, in all capital letters
ads-hostname Host name of your AD server
Note: Smart card redirection is supported on desktops running RHEL 7.2 or later.

Procedure

  1. On the RHEL 7.x VM, install the required packages.
    # yum install nscd samba-winbind krb5-workstation pam_krb5 samba-winbind-clients authconfig-gtk
  2. Edit the network settings for your system connection. Open the NetworkManager control panel and navigate to the IPv4 Settings for your system connection. For IPv4 Method, select Automatic (DHCP) . In the DNS text box, enter the IP address of your DNS name server. Then click Apply.
  3. Run the following command and verify that it returns the Fully Qualified Domain Name (FQDN) of the RHEL 7.x VM.
    # hostname -f
  4. Edit the /etc/resolv.conf configuration file, as shown in the following example.
    search mydomain.com
    nameserver dns_IP_ADDRESS
  5. Edit the /etc/krb5.conf configuration file, as shown in the following example.
    [libdefaults]
          dns_lookup_realm = false
          ticket_lifetime = 24h
          renew_lifetime = 7d
          forwardable = true
          rdns = false
          default_realm = MYDOMAIN.COM
          default_ccache_name = KEYRING:persistent:%{uid}
    
    [realms]
          MYDOMAIN.COM = {
                kdc = ads-hostname
                admin_server = ads-hostname
                default_domain = ads-hostname
          }
    
    [domain_realm]
          .mydomain.com = MYDOMAIN.COM
          mydomain.com = MYDOMAIN.COM
  6. Edit the /etc/samba/smb.conf configuration file, as shown in the following example.
    [global]
          workgroup = MYDOMAIN  
          password server = ads-hostname
          realm = MYDOMAIN.COM
          security = ads
          idmap config * : range = 16777216-33554431
          template homedir =/home/MYDOMAIN/%U
          template shell = /bin/bash 
          kerberos method = secrets and keytab
          winbind use default domain = true
          winbind offline logon = false 
          winbind refresh tickets = true
     
          passdb backend = tdbsam
  7. Open the authconfig-gtk tool and configure settings as follows.
    1. Select the Identity & Authentication tab. For User Account Database, select Winbind.
    2. Select the Advanced Options tab, and select the Create home directories on the first login check box.
    3. Select the Identity & Authentication tab and then click Join Domain. At the alert asking you to save changes, click Save.
    4. When prompted, enter the user name and password of the domain administrator, and click OK.
    The RHEL 7.x VM is joined to the AD domain.
  8. Set up ticket caching on PAM Winbind. Edit the /etc/security/pam_winbind.conf configuration file so that it includes the lines shown in the following example.
    [global]
    
    # authenticate using kerberos
    ;krb5_auth = yes 
    
    # create homedirectory on the fly
    ;mkhomedir = yes  
  9. Restart the Winbind service.
    # sudo service winbind restart
  10. To verify the AD join, run the following commands and ensure that they return the correct output.
    • net ads testjoin
    • net ads info
  11. Restart the RHEL 7.x VM and log back in.

What to do next

Set Up Smart Card Redirection on a RHEL 7.x Virtual Machine